ChangeLog 14.2

2018-08-10

bind-9.10.8_P1: Upgraded.
Fixed a security issue where named could crash during recursive processing
of DNAME records when “deny-answer-aliases” was in use, resulting in a
denial of service. Note that “deny-answer-aliases” is rarely used.
For more information, see:

2018-08-02

lftp-4.8.4: Upgraded.
It has been discovered that lftp up to and including version 4.8.3 does
not properly sanitize remote file names, leading to a loss of integrity
on the local system when reverse mirroring is used. A remote attacker
may trick a user to use reverse mirroring on an attacker controlled FTP
server, resulting in the removal of all files in the current working
directory of the victim's system.
For more information, see:

blueman-2.0.6: Upgraded.
This update fixes an issue where blueman-mechanism did not enforce the
polkit action 'org.blueman.network.setup' for which a polkit policy is
shipped. This meant that any user with access to the D-Bus system bus was
able to access the related API without authentication. The result was an
unspecified impact on the networking stack.
Thanks to Matthias Gerstner for discovering this issue.

(Security fix)

2018-07-31

file-5.34: Upgraded.
Fixed a denial of service crash when processing a crafted ELF file.
For more information, see:

2018-07-28

linux-libre-*-4.4.144: Upgraded.
This kernel update enables additional mitigations for spectre_v2 (IBPB and
IBRS_FW). It also enables reporting on the Speculative Store Bypass
vulnerability (aka GPZ Variant 4) which affects Intel processors and must
be patched with a microcode update.
To see the status of CPU vulnerability mitigations on your system, look at
the files in: /sys/devices/system/cpu/vulnerabilities
In addition, these kernels enable SMB2. Here's the complete list of kernel
config changes from the previous 4.4.132:

-X86_DEBUG_STATIC_CPU_HAS n
 CIFS_SMB2 n → y
+CC_OPTIMIZE_FOR_PERFORMANCE y
+CIFS_SMB311 n
+X86_FAST_FEATURE_TESTS y

Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
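A small script, added here as an example (it is not part of the changelog, the kernel package, or any upstream project), that reads the per-issue files under /sys/devices/system/cpu/vulnerabilities and flags anything the running kernel still reports as "Vulnerable". On a machine with that directory it reads the live files; otherwise it falls back to a constructed sample whose file names and strings are modelled on 4.4.x output, so the exact wording on a given host may differ.

```python
"""Summarize the kernel's CPU vulnerability mitigation reports.

Added example, not code from the changelog or the kernel. Each file in
/sys/devices/system/cpu/vulnerabilities holds one line such as
"Mitigation: PTI", "Vulnerable" or "Not affected".
"""
import os
import tempfile

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(report):
    """Map one sysfs line to 'mitigated', 'vulnerable', 'not affected' or 'unknown'."""
    text = report.strip()
    if text.startswith("Not affected"):
        return "not affected"
    if text.startswith("Vulnerable"):      # also "Vulnerable: <partial mitigation>"
        return "vulnerable"
    if text.startswith("Mitigation:"):
        return "mitigated"
    return "unknown"


def scan(directory=VULN_DIR):
    """Return {issue_name: (status, raw_text)} for every file in directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            raw = fh.read().strip()
        results[name] = (classify(raw), raw)
    return results


def unmitigated(results):
    """Names of issues still reported as Vulnerable, e.g. to gate a reboot or microcode update."""
    return [n for n, (status, _) in results.items() if status == "vulnerable"]


# Constructed sample (not captured from a real machine): an Intel host on a
# 4.4.144-style kernel with retpoline/IBPB/IBRS_FW but no SSBD microcode.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
    "spec_store_bypass": "Vulnerable",
}


def write_sample(directory):
    """Write the constructed sample as one file per issue, like sysfs does."""
    for name, text in SAMPLE.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(text + "\n")


def sample_results():
    """Write the constructed sample into a temp dir and scan it."""
    directory = tempfile.mkdtemp()
    write_sample(directory)
    return scan(directory)


if __name__ == "__main__":
    results = scan() if os.path.isdir(VULN_DIR) else sample_results()
    for issue, (status, raw) in results.items():
        print(f"{issue:20} {status:13} {raw}")
    bad = unmitigated(results)
    print("unmitigated:", ", ".join(bad) if bad else "none")
```

A "Vulnerable" line for spec_store_bypass on Intel hardware means the kernel support is present but the CPU microcode is not, which is the case the entry above describes.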

zlib-1.2.11: Upgraded.
This is a bugfix package update to fix decompression errors when zlib is
used with recent versions of Node.js. Thanks to Ken Zalewski for the report.

2018-06-19

gnupg-1.4.23: Upgraded.
Sanitize the diagnostic output of the original file name in verbose mode.
By using a made up file name in the message it was possible to fake status
messages. Using this technique it was for example possible to fake the
verification status of a signed mail.
For more information, see:

libcgroup-0.41: Rebuilt.
Make cgexec setgid root (setuid root is an unnecessarily large hammer).

Added /etc/cgconfig.d/ directory.

Added “LANG=C” in build script to avoid a bug where rc.cgred reports syntax errors at start.

These changes are tested here, and work with unprivileged containers.
Thanks to chris.willing.

libcgroup-0.41: Rebuilt.
This is a bugfix package update.
Make cgexec setuid root, since the cgred group doesn't exist on 14.2.
This is how the -2 build was, but the change was inadvertently dropped
in the previous update.

libgcrypt-1.7.10: Upgraded.
Use blinding for ECDSA signing to mitigate a novel side-channel attack.
For more information, see:

libcgroup-0.41: Rebuilt.
This is a bugfix package update.
Apply all post 0.41 patches from git, including one for an infinite loop
bug that causes 100% CPU usage on one core. Thanks to chris.willing.

2018-06-08

gnupg2-2.0.31: Upgraded.
Sanitize the diagnostic output of the original file name in verbose mode.
By using a made up file name in the message it was possible to fake status
messages. Using this technique it was for example possible to fake the
verification status of a signed mail.
For more information, see:

2018-06-01

git-2.14.4: Upgraded.
This update fixes security issues:
Submodule “names” come from the untrusted .gitmodules file, but we
blindly append them to $GIT_DIR/modules to create our on-disk repo
paths. This means you can do bad things by putting “../” into the
name. We now enforce some rules for submodule names which will cause
Git to ignore these malicious names (CVE-2018-11235).
Credit for finding this vulnerability and the proof of concept from
which the test script was adapted goes to Etienne Stalmans.
It was possible to trick the code that sanity-checks paths on NTFS
into reading random piece of memory (CVE-2018-11233).
Credit for fixing for these bugs goes to Jeff King, Johannes
Schindelin and others.
For more information, see:
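The rule git added for CVE-2018-11235, transcribed here as an added example in Python (this is not git's own code, which lives in submodule-config.c as check_submodule_name()): a submodule name is rejected if it is empty or if any path component, splitting on both '/' and '\' regardless of platform, is exactly "..". The .gitmodules text below is constructed for the example.

```python
"""Transcription of the submodule-name rule from git 2.14.4 (CVE-2018-11235).

Added example, not git's code. Names come from the untrusted .gitmodules
file and are appended to $GIT_DIR/modules, so a ".." component would let
a malicious repository write outside that directory.
"""
import re

# Matches the [submodule "name"] section header of a .gitmodules file.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')


def check_submodule_name(name):
    """Return True if name is acceptable: non-empty and no '..' component.

    Both '/' and '\\' count as separators so the rule is the same on every
    platform, which is what git does too.
    """
    if not name:
        return False
    for component in re.split(r"[/\\]", name):
        if component == "..":
            return False
    return True


def submodule_names(gitmodules_text):
    """Yield the name from every [submodule "name"] section header."""
    for line in gitmodules_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            yield m.group(1)


def audit(gitmodules_text):
    """Return {name: accepted?} for every submodule declared in the file."""
    return {n: check_submodule_name(n) for n in submodule_names(gitmodules_text)}


# Constructed .gitmodules mixing an honest entry with hostile names.
SAMPLE = """\
[submodule "lib/helper"]
\tpath = lib/helper
\turl = https://example.invalid/helper.git
[submodule "../../../../tmp/pwn"]
\tpath = pwn
\turl = https://example.invalid/pwn.git
[submodule "..\\..\\hooks"]
\tpath = hooks
\turl = https://example.invalid/hooks.git
[submodule "not..evil/..ok"]
\tpath = ok
\turl = https://example.invalid/ok.git
"""

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(("accept " if ok else "IGNORE ") + name)
```

Note that the check is on whole components only: "not..evil" and "..ok" are legal names, and the fixed git ignores rather than errors on a bad name.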

glibc-zoneinfo-2018e: Rebuilt.
Handle removal of US/Pacific-New timezone. If we see that the machine is
using this, it will be automatically switched to US/Pacific.

2018-05-23

linux-libre-4.4.132: Upgraded.
This kernel upgrade is being provided primarily to fix a regression in the
getsockopt() function, but it also contains fixes for two denial-of-service
security issues.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:

2018-05-04

python-2.7.15: Upgraded.
Updated to the latest 2.7.x release.
This fixes some security issues in difflib and poplib (regexes vulnerable
to denial of service attacks), as well as security issues with the bundled
expat library.
For more information, see:

2018-04-30

openvpn-2.4.6: Upgraded.
This is a security update fixing a potential double-free() in Interactive
Service. This usually only leads to a process crash (DoS by an unprivileged
local account) but since it could possibly lead to memory corruption if
happening while multiple other threads are active at the same time,
CVE-2018-9336 has been assigned to acknowledge this risk.
For more information, see:

2018-03-13

samba-4.4.16: Rebuilt.
This is a security update in order to patch the following defect:
On a Samba 4 AD DC the LDAP server in all versions of Samba from
4.0.0 onwards incorrectly validates permissions to modify passwords
over LDAP allowing authenticated users to change any other users'
passwords, including administrative users.
For more information, see:

2018-03-04

linux-libre-*-4.4.118: Upgraded.
This kernel includes __user pointer sanitization mitigation for the Spectre
(variant 1) speculative side channel attack.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

(Security fix)

You may have to force slackpkg to load the files, even though ChangeLog hasn't changed.

2018-02-11

New FXP package: unrar-5.5.8

2018-02-09

linux-libre-*-4.4.115: Upgraded.
This kernel includes full retpoline mitigation for the Spectre (variant 2)
speculative side channel attack.
Please note that this kernel was compiled with gcc-5.5.0, also provided as
an update for Slackware FreeSlack 14.2. You'll need to install the updated gcc in order
to compile kernel modules that will load into this updated kernel.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:

rsync-3.1.3: Upgraded.
This update fixes two security issues:
Fixed a buffer overrun in the protocol's handling of xattr names and
ensure that the received name is null terminated.
Fix an issue with --protect-args where the user could specify the arg in
the protected-arg list and short-circuit some of the arg-sanitizing code.
For more information, see:

wget-1.19.4: Upgraded.
More bug fixes:
A major bug that caused gzip'ed pages to never be decompressed has been fixed.
Support for Content-Encoding and Transfer-Encoding has been marked as
experimental and disabled by default.

2018-01-18

bind-9.10.6_P1: Upgraded.
This update fixes a high severity security issue:
Improper sequencing during cleanup can lead to a use-after-free error,
triggering an assertion failure and crash in named.
For more information, see:

2018-01-17

linux-libre-*-4.4.111: Upgraded.
This kernel includes mitigations for the Spectre (variant 2) and Meltdown
speculative side channel attacks.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:

xscreensaver-5.38: Upgraded. Here's an upgrade to the latest xscreensaver.

2018-01-05

R-3.4.3: Upgraded (FXP)

2017-12-20

ruby-2.2.9: Upgraded.
This update fixes a security issue:
Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile
use Kernel#open to open a local file. If the localfile argument starts with
the pipe character “|”, the command following the pipe character is executed.
The default value of localfile is File.basename(remotefile), so malicious FTP
servers could cause arbitrary command execution.
For more information, see:

libXcursor-1.1.15: Upgraded.
Fix heap overflows when parsing malicious files. (CVE-2017-16612)
It is possible to trigger heap overflows due to an integer overflow
while parsing images and a signedness issue while parsing comments.
The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32 bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.
The signedness bug is triggered by reading the length of a comment
as unsigned int, but casting it to int when calling the function
XcursorCommentCreate. Turning length into a negative value allows the
check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
addition of sizeof (XcursorComment) + 1 makes it possible to allocate
less memory than needed for subsequent reads.
For more information, see:
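The two arithmetic bugs described above, modelled in Python as an added example (this is not libXcursor code). The functions reproduce the 32-bit C arithmetic by masking to 32 bits and reinterpreting as a signed int where the original casts, so they show why each old check passed while the allocation came out too small. The two limit constants are the ones named in the entry and in libXcursor's file.c; the struct size is an assumption for the demonstration, and the "fixed" variants show one sufficient check, not necessarily the exact upstream patch.

```python
"""Model of the libXcursor integer overflow and signedness bugs (CVE-2017-16612).

Added example, not libXcursor code. Arithmetic is done as a 32-bit C
program would do it.
"""
U32 = 0xFFFFFFFF
XCURSOR_IMAGE_MAX_SIZE = 0x10000       # the per-dimension limit the entry calls too large
XCURSOR_COMMENT_MAX_LEN = 0x100000     # libXcursor's comment length limit
SIZEOF_XCURSOR_COMMENT = 16            # assumed struct size for the demo


def to_int32(value):
    """Reinterpret a 32-bit unsigned value as a C 'int' (two's complement)."""
    value &= U32
    return value - (1 << 32) if value & 0x80000000 else value


def image_alloc_size_old(width, height):
    """Old check plus the 32-bit pixel buffer size; None if rejected.

    Each dimension is bounded, but 0x10000 * 0x10000 * 4 = 2**34 does not
    fit in 32 bits, so the product wraps and too little memory is allocated.
    """
    if width > XCURSOR_IMAGE_MAX_SIZE or height > XCURSOR_IMAGE_MAX_SIZE:
        return None
    return (width * height * 4) & U32       # wraps on a 32-bit host


def image_alloc_size_fixed(width, height):
    """One correct check: bound the product, not only each factor."""
    if width > XCURSOR_IMAGE_MAX_SIZE or height > XCURSOR_IMAGE_MAX_SIZE:
        return None
    if width and height > (U32 // 4) // width:   # width*height*4 must fit in 32 bits
        return None
    return width * height * 4


def comment_alloc_size_old(length_u32):
    """Old path: length read as unsigned, cast to int before the bounds check.

    A value >= 0x80000000 becomes negative, passes '<= MAX_LEN', and
    sizeof(struct) + length + 1 allocates almost nothing.
    """
    length = to_int32(length_u32)
    if length > XCURSOR_COMMENT_MAX_LEN:
        return None
    return (SIZEOF_XCURSOR_COMMENT + length + 1) & U32


def comment_alloc_size_fixed(length_u32):
    """Compare as unsigned before any cast, so huge values fail the check."""
    if length_u32 > XCURSOR_COMMENT_MAX_LEN:
        return None
    return SIZEOF_XCURSOR_COMMENT + length_u32 + 1


if __name__ == "__main__":
    w = h = 0x10000
    print("old image size :", image_alloc_size_old(w, h))      # 0 bytes allocated
    print("fixed image    :", image_alloc_size_fixed(w, h))    # None (rejected)
    bad = 0xFFFFFFF0                                            # -16 once cast to int
    print("old comment    :", comment_alloc_size_old(bad))      # 1 byte allocated
    print("fixed comment  :", comment_alloc_size_fixed(bad))    # None (rejected)
```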

libXfont-1.5.1: Rebuilt.
Open files with O_NOFOLLOW. (CVE-2017-16611)
A non-privileged X client can instruct X server running under root
to open any file by creating own directory with “fonts.dir”,
“fonts.alias” or any font file being a symbolic link to any other
file in the system. The X server will then open it. This can be an issue
with special files such as /dev/watchdog (which could then reboot
the system).
For more information, see:

2017-11-28

samba-4.4.16: Rebuilt.
This is a security update in order to patch the following defects:

CVE-2017-14746 (Use-after-free vulnerability.)

All versions of Samba from 4.0.0 onwards are vulnerable to a use after
free vulnerability, where a malicious SMB1 request can be used to
control the contents of heap memory via a deallocated heap pointer. It
is possible this may be used to compromise the SMB server.

CVE-2017-15275 (Server heap memory information leak.)

All versions of Samba from 3.6.0 onwards are vulnerable to a heap
memory information leak, where server allocated heap memory may be
returned to the client without being cleared.

openssl-1.0.2m: Upgraded.
This update fixes a security issue:
There is a carry propagating bug in the x64 Montgomery squaring procedure.
No EC algorithms are affected. Analysis suggests that attacks against RSA
and DSA as a result of this defect would be very difficult to perform and
are not believed likely. Attacks against DH are considered just feasible
(although very difficult) because most of the work necessary to deduce
information about a private key may be performed offline. The amount of
resources required for such an attack would be very significant and likely
only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.
This only affects processors that support the BMI1, BMI2 and ADX extensions
like Intel Broadwell (5th generation) and later or AMD Ryzen.
For more information, see:

2017-10-27

NetworkManager-1.8.4: Upgraded.
This update is provided to address issues with wifi scanning when using the
new wpa_supplicant with certain hardware drivers. If you're not having
problems, you don't need this update (but it probably won't hurt).

network-manager-applet-1.8.4: Upgraded.
This package goes along with the optional NetworkManager update.

php-5.6.32: Upgraded.
Several security bugs were fixed in this release:
Out of bounds read in timelib_meridian().
The arcfour encryption stream filter crashes PHP.
Applied upstream patch for PCRE (CVE-2016-1283).
For more information, see:

wpa_supplicant-2.6: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as “KRACK” (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets. This is the
list of vulnerabilities that are addressed here:

CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.

CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.

CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.

CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.

CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.

xorg-server-1.18.3: Rebuilt.
This update fixes two security issues:
Xext/shm: Validate shmseg resource id, otherwise it can belong to a
non-existing client and abort X server with FatalError “client not
in use”, or overwrite existing segment of another existing client.
Generating strings for XKB data used a single shared static buffer,
which offered several opportunities for errors. Use a ring of
resizable buffers instead, to avoid problems when strings end up
longer than anticipated.
For more information, see:

2017-09-28

gegl-0.2.0: Rebuilt.
Patched integer overflows in operations/external/ppm-load.c that could allow
a denial of service (application crash) or possibly the execution of arbitrary
code via a large width or height value in a ppm image.
For more information, see:

2017-09-21

samba-4.4.16: Upgraded.
This is a security release in order to address the following defects:
SMB1/2/3 connections may not require signing where they should. A man in
the middle attack may hijack client connections.
SMB3 connections don't keep encryption across DFS redirects. A man in the
middle attack can read and may alter confidential documents transferred via
a client connection, which are reached via DFS redirect when the original
connection used SMB3.
Server memory information leak over SMB1. A client with write access to a
share can cause server memory contents to be written into a file or printer.
For more information, see:

2017-09-18

httpd-2.4.27: Rebuilt.
This update patches a security issue (“Optionsbleed”) with the OPTIONS HTTP
method which may leak arbitrary pieces of memory to a potential attacker.
Thanks to Hanno Böck.
For more information, see:

linux-libre-*-4.4.88: Upgraded.
This update fixes the security vulnerability known as “BlueBorne”. The native
Bluetooth stack in the Linux kernel (BlueZ), starting at Linux kernel version
3.3-rc1, is vulnerable to a stack overflow in the processing of L2CAP
configuration responses, resulting in remote code execution in kernel space.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:

2017-09-12

emacs-25.3: Upgraded.
This update fixes a security vulnerability in Emacs. Gnus no longer supports
“richtext” and “enriched” inline MIME objects. This support was disabled to
avoid evaluation of arbitrary Lisp code contained in email messages and news
articles.
For more information, see:

2017-09-08

bash-4.3.048: Upgraded.
This update fixes two security issues found in bash before 4.4:
The expansion of '\h' in the prompt string allows remote authenticated users
to execute arbitrary code via shell metacharacters placed in the 'hostname'
of a machine. The theoretical attack vector is a hostile DHCP server
providing a crafted hostname, but this is unlikely to occur in a normal
Slackware configuration as we ignore the hostname provided by DHCP.
Specially crafted SHELLOPTS+PS4 environment variables used against bogus
setuid binaries using system()/popen() allowed local attackers to execute
arbitrary code as root.
For more information, see:

2017-09-03

2017-08-12

xorg-server-1.18.3: Rebuilt.
This update fixes two security issues:
A user authenticated to an X session could crash or execute code in the
context of the X server by exploiting a stack overflow in the endianness
conversion of X events.
Uninitialized data in endianness conversion in the XEvent handling of the
X.Org X server allowed authenticated malicious users to access potentially
privileged data from the X server.
For more information, see:

git-2.14.1: Upgraded.
This update fixes security issues:
A "ssh://..." URL can result in a “ssh” command line with a hostname that
begins with a dash “-”, which would cause the “ssh” command to instead
(mis)treat it as an option. This is now prevented by forbidding such a
hostname (which should not impact any real-world usage).
Similarly, when GIT_PROXY_COMMAND is configured, the command is run with
host and port that are parsed out from the "ssh://..." URL; a poorly written
GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
dash “-” as an option. This is now prevented by forbidding such a hostname
and port number (again, which should not impact any real-world usage).
For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
(Security fix)

mercurial-4.3.1: Upgraded.
This update fixes security issues:
Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused
to write to files outside the repository.
Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection
attacks on clients by specifying a hostname starting with -oProxyCommand.
For more information, see:

dbus-1.10.8: Rebuilt.
Don't demand high-quality entropy from expat-2.2.2+ because 1) dbus doesn't
need it and 2) it can cause the boot process to hang if dbus times out.
Thanks to SeB for a link to the bug report and patch.

bind-9.10.5_P3: Upgraded.
Fix a regression in the previous BIND release that broke verification of
TSIG signed TCP message sequences where not all the messages contain TSIG
records. Compiled to use libidn rather than the deprecated (and broken) idnkit.

rpcbind-0.2.4: Rebuilt.
Fixed a bug in a previous patch where a svc_freeargs() call ended up freeing
a static pointer causing rpcbind to crash. Thanks to Jonathan Woithe, Rafael
Jorge Csura Szendrodi, and Robby Workman for identifying the problem and
helping to test a fix.

2017-07-14

mariadb-10.0.31: Upgraded.
This update fixes bugs and security issues.
For more information, see:

samba-4.4.15: Upgraded.
This update fixes an authentication validation bypass security issue:
“Orpheus' Lyre mutual authentication validation bypass”
All versions of Samba from 4.0.0 onwards using embedded Heimdal Kerberos are
vulnerable to a man-in-the-middle attack impersonating a trusted server, who
may gain elevated access to the domain by returning malicious replication or
authorization data. Samba binaries built against MIT Kerberos are not
vulnerable.
For more information, see:

httpd-2.4.27: Upgraded.
This update fixes two security issues:
Read after free in mod_http2 (CVE-2017-9789).
Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788).
Thanks to Robert Swiecki for reporting these issues.
For more information, see:

xscreensaver-5.37: Upgraded. Here's an upgrade to the latest xscreensaver.

2017-07-02

linux-libre-*-4.4.75: Upgraded.
This kernel fixes security issues that include possible stack exhaustion,
memory corruption, and arbitrary code execution.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:

mkinitrd-1.4.10: Upgraded.
Added support for -P option and MICROCODE_ARCH in mkinitrd.conf to specify a
microcode archive to be prepended to the initrd for early CPU microcode
patching by the kernel. Thanks to SeB.

2017-06-27

linux-libre-*-4.4.74: Upgraded.
This kernel fixes two “Stack Clash” vulnerabilities reported by Qualys. The
first issue may allow attackers to execute arbitrary code with elevated
privileges. Failed attack attempts will likely result in denial-of-service
conditions. The second issue can be exploited to bypass certain security
restrictions and perform unauthorized actions.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
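Every kernel entry in this ChangeLog ends with the same three steps: rebuild the initrd, make sure lilo.conf points at the new kernel and initrd, then run lilo as root. The middle step is where a stale path slips through. The script below, added here as an example (not part of the changelog, mkinitrd, or LILO), parses the image=, initrd=, label= and other= keys of a lilo.conf (standard LILO syntax) and reports any stanza whose kernel or initrd file does not exist, so the mistake is caught before the boot sector is rewritten. The sample configuration and the fake /boot it is checked against are constructed for the example.

```python
"""Check that every lilo.conf stanza names a kernel and initrd that exist.

Added example, not LILO or Slackware code. Intended to run right before
'lilo' after a kernel upgrade: python3 check_lilo.py /etc/lilo.conf
"""
import os
import sys
import tempfile


def parse_lilo_conf(text):
    """Return a list of image stanzas: dicts with 'image', 'initrd', 'label'.

    Comments (#) and global keys before the first image= are skipped; an
    other= stanza (chainloading another OS) ends the current image stanza.
    lilo.conf allows whitespace around '=' and optional double quotes.
    """
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key == "image":
            current = {"image": value, "initrd": None, "label": None}
            stanzas.append(current)
        elif key == "other":
            current = None
        elif current is not None and key in ("initrd", "label"):
            current[key] = value
    return stanzas


def missing_files(stanzas, root="/"):
    """List (label, path) pairs whose file does not exist under root."""
    problems = []
    for st in stanzas:
        for key in ("image", "initrd"):
            path = st[key]
            if path is None:
                continue
            if not os.path.isfile(os.path.join(root, path.lstrip("/"))):
                problems.append((st["label"] or st["image"], path))
    return problems


# Constructed sample: two stanzas after a kernel upgrade, where the second
# one still names an initrd that was never rebuilt.
SAMPLE_CONF = """\
boot = /dev/sda
prompt
timeout = 50
image = /boot/vmlinuz-generic-4.4.144
  initrd = /boot/initrd.gz   # rebuilt by mkinitrd
  root = /dev/sda2
  label = Linux
image = /boot/vmlinuz-huge-4.4.144
  initrd = /boot/initrd-old.gz
  root = /dev/sda2
  label = Huge
other = /dev/sda1
  label = Other
"""


def check_sample():
    """Build a fake root containing only the files that exist, then check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "boot"))
    for name in ("vmlinuz-generic-4.4.144", "vmlinuz-huge-4.4.144", "initrd.gz"):
        open(os.path.join(root, "boot", name), "w").close()
    return missing_files(parse_lilo_conf(SAMPLE_CONF), root)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real config, real filesystem
        with open(sys.argv[1]) as fh:
            problems = missing_files(parse_lilo_conf(fh.read()))
    else:
        problems = check_sample()
    for label, path in problems:
        print(f"stanza {label!r}: {path} does not exist")
    print("ok to run lilo" if not problems else "fix lilo.conf before running lilo")
    sys.exit(1 if problems else 0)
```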

sudo-1.8.20p2: Upgraded.
This is a bugfix release:
Fixed a bug parsing /proc/pid/stat when the process name contains a newline.
This is not exploitable due to the /dev traversal changes made in sudo 1.8.20p1.
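The parsing pitfall behind the sudo fix above, shown as an added example (this is not sudo's code). The second field of /proc/<pid>/stat is the process name in parentheses, and a process can set that name to anything, including spaces, ')' and a newline. Splitting the line on whitespace then misnumbers every later field, including tty_nr (field 7), which sudo used to find the controlling terminal. Anchoring on the last ')' instead recovers the real fields. Both sample lines are constructed.

```python
"""Parse /proc/<pid>/stat without being fooled by the process name.

Added example, not sudo's code. The comm field may contain spaces,
parentheses and newlines (e.g. set via prctl(PR_SET_NAME)).
"""


def parse_stat(stat_text):
    """Return (pid, comm, fields) where fields[0] is 'state' (field 3).

    pid is everything before the first ' (', comm is everything up to the
    LAST ') ', and the remaining fields are whitespace-separated as usual.
    """
    pid_part, sep, rest = stat_text.partition(" (")
    if not sep:
        raise ValueError("malformed stat line")
    comm, sep, tail = rest.rpartition(") ")
    if not sep:
        raise ValueError("malformed stat line")
    return int(pid_part), comm, tail.split()


def tty_nr(stat_text):
    """Field 7 of /proc/<pid>/stat: the controlling terminal's device number."""
    _, _, fields = parse_stat(stat_text)
    return int(fields[4])        # state, ppid, pgrp, session, tty_nr


def naive_tty_nr(stat_text):
    """The fragile version: split on whitespace and trust the positions."""
    return int(stat_text.split()[6])


# Constructed lines. NORMAL is an ordinary shell on pts/0 (tty_nr 34816 =
# major 136, minor 0). HOSTILE is a process whose comm was renamed to
# "a 1 2 3 4 34817\n) x" so that naive splitting lands on 34817 instead.
NORMAL = ("4242 (sh) S 1 4242 4242 34816 4242 4194560 100 0 0 0 "
          "0 0 0 0 20 0 1 0 12345 0 0")
HOSTILE = ("4243 (a 1 2 3 4 34817\n) x) S 1 4243 4243 34816 4243 4194560 100 0 0 0 "
           "0 0 0 0 20 0 1 0 12345 0 0")

if __name__ == "__main__":
    for label, line in (("normal", NORMAL), ("hostile", HOSTILE)):
        pid, comm, _ = parse_stat(line)
        print(f"{label}: pid={pid} comm={comm!r} tty_nr={tty_nr(line)} "
              f"naive={naive_tty_nr(line)}")
```

With the hostile line, the naive parser reports an attacker-chosen tty_nr while the last-')' parser still returns 34816; the sudo entry's point is that a newline in the name broke its line-oriented parser in a similar way.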

2017-05-30

lynx-2.8.8rel.2: Rebuilt.
Fixed lynx startup without a URL by correcting STARTFILE in lynx.cfg to use
the new URL for the Lynx homepage. Thanks to John David Yost.

sudo-1.8.20p1: Upgraded.
This update fixes a potential overwrite of arbitrary system files. This bug
was discovered and analyzed by Qualys, Inc.
For more information, see:

2017-04-19

minicom-2.7.1: Upgraded.
Fix an out of bounds data access that can lead to remote code execution. This
issue was found by Solar Designer of Openwall during a security audit of the
Virtuozzo 7 product, which contains derived downstream code in its
prl-vzvncserver component.
For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7467
(Security fix)

2017-04-14

bind-9.10.4: Upgraded.
Fixed denial of service security issues.
For more information, see:

2017-04-01

samba-4.4.13: Upgraded.
This is a bug fix release to address a regression introduced by the security
fixes for CVE-2017-2619 (Symlink race allows access outside share definition).
Please see https://bugzilla.samba.org/show_bug.cgi?id=12721 for details.

2017-03-28

mariadb-10.0.30: Upgraded.
This update fixes security issues:
Crash in libmysqlclient.so.
Difficult to exploit vulnerability allows low privileged attacker with logon
to compromise the server. Successful attacks of this vulnerability can result
in unauthorized access to data.
For more information, see:

2017-03-24

mcabber-1.0.5: Upgraded.
This update fixes a security issue:
An incorrect implementation of XEP-0280: Message Carbons in multiple XMPP
clients allows a remote attacker to impersonate any user, including contacts,
in the vulnerable application's display. This allows for various kinds of
social engineering attacks.
For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5604
(Security fix)

samba-4.4.12: Upgraded.
This update fixes a security issue:
All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to a
malicious client using a symlink race to allow access to areas of the server
file system not exported under the share definition.
For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2619
(Security fix)